Cross-Border Data Access Reform

A Primer on the Proposed U.S.-U.K. Agreement

September 13, 2017

Abstract

Cross-border data access reform may be on the legislative agenda in late 2017, with recent House and Senate judiciary committee hearings revisiting the topic. In light of this increasing interest, we thought it would be helpful to provide a brief primer on how cross-border data access requests currently work, options for reform, and major challenges to reform ahead. This document presents a short, high-level background review of the debate as it currently stands, particularly focusing on the DOJ’s 2016 proposal for reform.*

Governments need evidence to investigate and prosecute crimes, but increasingly that evidence takes the form of data stored on the servers of U.S. tech companies. In July 2016, the U.S. Department of Justice (DOJ) released draft legislation that would address some of the challenges foreign governments face when seeking data related to criminal investigations from U.S. companies. Interest in making such changes continues to grow, with relevant laws, including the Electronic Communications Privacy Act (ECPA), maybe seeing Congressional attention in late 2017, especially as the Foreign Intelligence Surveillance Act (FISA) comes up for renewal.

To access electronic content – including email, social media messages, and more – held by U.S. companies, a foreign country currently relies primarily on the processes set out in agreements called Mutual Legal Assistance Treaties (MLATs), if that country has negotiated one with the U.S. MLATs with the U.S. require countries to meet U.S. legal standards when making requests for electronic content data, with less strict standards for metadata. Countries have grown frustrated with both the normative implications of the MLAT process and its typical lengthiness.

After substantial debate, and with many proposed ideas from civil society, industry, and academia, the Department of Justice (DOJ) in July 2016 released draft legislation intended to address these concerns. The proposal moves away from the treaty-based system currently underpinning the mutual legal assistance process. Instead, the new legislation would require “lighter touch” bilateral agreements on this issue between the United States and participating countries. Once countries are approved for these bilateral agreements, the legislation would allow them to submit requests for data, made pursuant to the requesting countries’ laws and stipulations in the legislation, directly to U.S. electronic service providers, instead of first going through U.S. courts. The U.K. would likely be the first country approved to make requests under this new legislation, but the legislation would also pave the way for agreements with other qualifying countries. This legislation advances a legal solution for cross-border data access that proponents hope is sufficiently appealing to foreign governments to forestall more damaging alternative responses to data access concerns, including country-wide service bans, mandated data localization, or forcing companies to make decisions in the face of a conflict of laws.

* This publication is an adaptation of a briefing document originally created by the authors to inform discussions in the Berklett Cybersecurity project meetings about the proposed U.S.-U.K. agreement on cross-border data sharing and related issues.

About the Berklett Cybersecurity Project

Launched in 2015, the Berklett Cybersecurity project is a unique forum for discussing true and important, and often novel, facts, and perspectives, and achieving surprising consensus on enduring questions of cybersecurity.  The project is led by Prof. Jonathan Zittrain and former National Security Agency (NSA) Director of Compliance John DeLong, in close collaboration with security technologist Bruce Schneier, and Matthew Olsen, the former Director of the U.S. National Counterterrorism Center (NCTC). More information about the project can be found on the Berkman Klein Center’s website: http://cyber.harvard.edu/research/cybersecurity

The Berklett Cybersecurity project is generously supported by the William and Flora Hewlett Foundation. Research efforts that contributed to this publication were also supported by the John D. and Catherine T. MacArthur Foundation and the Ford Foundation. 

Last updated

September 14, 2017